pkgsrc-Users archive


Re: Depending on security/ca-certificates?

Martin Husemann writes:

> On Tue, Jul 20, 2021 at 02:58:21PM +0200, Rhialto wrote:
>> Some package systems have the concept of "recommended" or "suggested"
>> packages. If we had that, such dependencies could be expressed that
>> way.
> I think (as Greg said) it is an issue with the NetBSD base system and should
> be solved there. Main problem is to agree on the set of trusted CAs and
> having a proper way to update that set.
> If someone solves the set + infrastructure, I'll happily deal with
> build + install issues ;-)
> Does anybody know what exact differences in trusted CAs other open source
> OSes use?

My impression is that everybody who does preconfigured trust anchors
uses the Mozilla set.

I am not clear on how many people believe "every member of the Mozilla
set is trustworthy".

It seems like tricky, unpleasant and dangerous business to deviate from
the Mozilla set.

So I lean to a question in the installer (and a command-line program) to
configure and deconfigure those, and not just silently doing it.

I don't see why prestaging mozilla-rootcerts-openssl and
mozilla-rootcerts packages is bad, but one could also have the same
code/contents in base vs pkgsrc and not drag in anything pkgsrc, which
seems better.
